Abstract

This paper presents a proof of correctness of an iterative approximate Byzantine
consensus (IABC) algorithm for directed graphs. The iterative algorithm allows fault-free
nodes to reach approximate consensus despite the presence of up to $f$ Byzantine
faults. Necessary conditions on the underlying network graph for the existence of a
correct IABC algorithm were shown in our recent work [15], [16]. [15] also analyzed a
specific IABC algorithm and showed that it performs correctly in any network graph
that satisfies the necessary condition, proving that the necessary condition is also
sufficient. In this paper, we present an alternate proof of correctness of the IABC algorithm,
using a familiar technique based on transition matrices [9], [3], [17], [19].



The key contribution of this paper is to exploit the following observation: for a
given evolution of the state vector corresponding to the state of the fault-free nodes,
many alternate state transition matrices may be chosen to model that evolution
correctly. For a given state evolution, we identify one approach to suitably "design" the
transition matrices so that the standard tools for proving convergence can be applied
to the Byzantine fault-tolerant algorithm as well. In particular, the transition matrix
for each iteration is designed such that each row of the matrix contains a large enough
number of elements that are bounded away from 0.



*This research is supported in part by National Science Foundation award CNS 1059540 and Army 
Research Office grant W-911-NF-0710287. Any opinions, findings, and conclusions or recommendations 
expressed here are those of the authors and do not necessarily reflect the views of the funding agencies or 
the U.S. government. 



1 Introduction 

Dolev et al. [5] introduced the notion of approximate Byzantine consensus by relaxing 
the requirement of exact consensus [H]. The goal in approximate consensus is to allow 
the fault-free nodes to agree on values that are approximately equal to each other (and 
not necessarily exactly identical). In presence of Byzantine faults, while exact consensus is 
impossible in asynchronous systems [7], approximate consensus is achievable [5]. The notion 
of approximate consensus is of interest in synchronous systems as well, since approximate 
consensus can be achieved using simple distributed algorithms that do not require complete 
knowledge of the network topology [3].

In this paper, we are interested in iterative algorithms for achieving approximate
Byzantine consensus in synchronous point-to-point networks that are modeled by arbitrary
directed graphs. The iterative approximate Byzantine consensus (IABC) algorithms of interest
have the following properties, which we will soon state more formally:

• Initial state of each node is equal to a real-valued input provided to that node. 

• Validity condition: After each iteration of an IABC algorithm, the state of each
fault-free node must remain in the convex hull of the states of the fault-free nodes at the
end of the previous iteration.

• Convergence condition: For any $\epsilon > 0$, after a sufficiently large number of iterations,
the states of the fault-free nodes are guaranteed to be within $\epsilon$ of each other.

Certain IABC algorithms have been shown to satisfy the above properties in fully connected
graphs [5], [14], and in arbitrary directed graphs satisfying a tight necessary condition [15], [16].
Please refer to [15], [16] for a summary of the related work.

The main contribution of this paper is to develop an alternate proof of correctness for an
IABC algorithm, which was proved correct in arbitrary graphs that satisfy a necessary
condition developed in our prior work [15]. The alternate proof is based on transition matrices
that capture the behavior of the IABC algorithm executed by the fault-free nodes. This
work is inspired by, and borrows some matrix analysis tools from, other work that also uses
transition matrices in related contexts [9], [3], [17], [19]. This paper exploits the following
observation: for a given evolution of the state vector corresponding to the state of the fault-free
nodes, many alternate state transition matrices may potentially be chosen to emulate that
evolution correctly. For a given state evolution, we identify one approach to suitably "design"
the transition matrices so that the standard tools can be applied to prove convergence of the
Byzantine fault-tolerant algorithm in all networks that satisfy a necessary condition (proved
in [16]) on the network communication graph. In particular, the transition matrix for each
iteration is designed such that each row of the matrix contains a large enough number of
elements that are bounded away from 0.



2 Network and Failure Models 

Network Model: The system is assumed to be synchronous. The communication network
is modeled as a simple directed graph $G(\mathcal{V}, \mathcal{E})$, where $\mathcal{V} = \{1, \dots, n\}$ is the set of $n$ nodes,
and $\mathcal{E}$ is the set of directed edges between the nodes in $\mathcal{V}$. Node $i$ can reliably transmit
messages to node $j$ if and only if the directed edge $(i,j)$ is in $\mathcal{E}$. Each node can send
messages to itself as well; however, for convenience, we exclude self-loops from set $\mathcal{E}$. That
is, $(i,i) \notin \mathcal{E}$ for $i \in \mathcal{V}$. With a slight abuse of terminology, we will use the terms edge and
link interchangeably in our presentation.

For each node $i$, let $N_i^-$ be the set of nodes from which $i$ has incoming edges. That
is, $N_i^- = \{ j \mid (j,i) \in \mathcal{E} \}$. Similarly, define $N_i^+$ as the set of nodes to which node $i$ has
outgoing edges. That is, $N_i^+ = \{ j \mid (i,j) \in \mathcal{E} \}$. Since we exclude self-loops from $\mathcal{E}$, $i \notin N_i^-$
and $i \notin N_i^+$. However, we note again that each node can indeed send messages to itself. A
necessary condition for correctness of an IABC algorithm for $f > 0$ is that $|N_i^-| \ge 2f + 1$ [15].



Node $j$ is said to be an incoming neighbor of node $i$, if $j \in N_i^-$. Similarly, $j$ is said to be
an outgoing neighbor of node $i$, if $j \in N_i^+$.



Failure Model: We consider the Byzantine failure model, with up to $f$ nodes becoming
faulty. A faulty node may misbehave arbitrarily. Possible misbehavior includes sending 
incorrect and mismatching (or inconsistent) messages to different neighbors. The faulty 
nodes may potentially collaborate with each other. Moreover, the faulty nodes are assumed 
to have a complete knowledge of the execution of the algorithm, including the states of all the 
nodes, contents of messages the other nodes send to each other, the algorithm specification, 
and the network topology. 



3 Iterative Approximate Byzantine Consensus (IABC)

Each node $i$ maintains state $v_i$, with $v_i[t]$ denoting the state of node $i$ at the end of the $t$-th
iteration of the algorithm. Initial state of node $i$, $v_i[0]$, is equal to the initial input provided
to node $i$. At the start of the $t$-th iteration ($t > 0$), the state of node $i$ is $v_i[t-1]$.

Let $\mathcal{F}$ denote the set of faulty nodes. Thus, the nodes in $\mathcal{V} - \mathcal{F}$ are non-faulty.¹

• $U[t] = \max_{i \in \mathcal{V} - \mathcal{F}} v_i[t]$. $U[t]$ is the largest state among the fault-free nodes at the end
of the $t$-th iteration. Since the initial state of each node is equal to its input, $U[0]$ is
equal to the maximum value of the initial input at the fault-free nodes.

• $\mu[t] = \min_{i \in \mathcal{V} - \mathcal{F}} v_i[t]$. $\mu[t]$ is the smallest state among the fault-free nodes at the end
of the $t$-th iteration. $\mu[0]$ is equal to the minimum value of the initial input at the
fault-free nodes.

¹For sets $X$ and $Y$, $X - Y$ contains elements that are in $X$ but not in $Y$. That is,
$X - Y = \{ i \mid i \in X,\ i \notin Y \}$.

The following conditions must be satisfied by an IABC algorithm in presence of up to $f$
Byzantine faulty nodes:

• Validity: $\forall t > 0$, $\mu[t] \ge \mu[t-1]$ and $U[t] \le U[t-1]$

• Convergence: $\lim_{t \to \infty} U[t] - \mu[t] = 0$. Equivalently, $\lim_{t \to \infty} v_i[t] - v_j[t] = 0$, for

An iterative algorithm is said to be correct if it satisfies the validity and convergence
conditions. We will prove the correctness of Algorithm 1 below in all graphs that satisfy the
necessary condition in Theorem 2 of [16]. The algorithm should be performed by each node
$i$ in the $t$-th iteration, $t \ge 1$. The faulty nodes may deviate from the algorithm specification.
If a fault-free node does not receive an expected message from an incoming neighbor (in the
Receive step below), then that message is assumed to have some default value.

Algorithm 1 

Steps to be performed by node i in the t-th iteration: 

1. Transmit step: Transmit current state $v_i[t-1]$ on all outgoing edges.

2. Receive step: Receive values on all incoming edges. These values form vector $r_i[t]$ of
size $|N_i^-|$.

3. Update step: Sort the values in $r_i[t]$ in an increasing order, and eliminate the smallest
$f$ values, and the largest $f$ values (breaking ties arbitrarily). Let $N_i^*[t]$ denote the
identifiers of nodes from whom the remaining $|N_i^-| - 2f$ values were received, and let
$w_j$ denote the value received from node $j \in N_i^*[t]$.

For convenience, define $w_i = v_i[t-1]$.

Observe that if $j \in \{i\} \cup N_i^*[t]$ is fault-free, then $w_j = v_j[t-1]$.

Define

$$v_i[t] = \sum_{j \in \{i\} \cup N_i^*[t]} a_i\, w_j \tag{1}$$

where

$$a_i = \frac{1}{|N_i^-| - 2f + 1} = \frac{1}{|N_i^*[t]| + 1}$$

Recall that $i \notin N_i^*[t]$ because $(i,i) \notin \mathcal{E}$. The "weight" of each term on the right-hand
side of (1) is $a_i$, and these weights add to 1.

Observe that $0 < a_i \le 1$.

For future reference, let us define $\alpha$ as:

$$\alpha = \min_{i \in \mathcal{V}} a_i \tag{2}$$

Note that $0 < \alpha \le 1$. Specifically, $\alpha$ is a positive constant that is dependent only on
$f$ and the graph $G(\mathcal{V}, \mathcal{E})$.



Similar algorithms have been proven to work correctly in fully connected graphs [5], [15]
and arbitrary directed graphs satisfying the necessary condition stated in [15]. In this paper,
we provide an alternate proof of correctness in such arbitrary graphs, using an alternate form
of the necessary condition
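
The Update step of Algorithm 1, run as a small simulation. This is an added example, not code from the paper: the complete 5-node graph, the inputs, the choice of node 4 as the faulty node and the `two_faced` adversary are all constructed for illustration, and exact rational arithmetic is used so the validity check is not blurred by rounding. It contrasts the trimmed update ($f = 1$) with a plain average ($f = 0$) under the same inconsistent messages.

```python
from fractions import Fraction


def iabc_update(own, received, f):
    """Update step of Algorithm 1 at one fault-free node.

    `received` has one value per incoming neighbour. The f smallest and the
    f largest are discarded; the survivors and the node's own state are then
    combined with equal weight a_i = 1 / (|N_i^-| - 2f + 1).
    """
    if f > 0 and len(received) < 2 * f + 1:
        raise ValueError("in-degree below 2f + 1: trimming cannot mask f faults")
    kept = sorted(received)[f:len(received) - f]
    a_i = Fraction(1, len(kept) + 1)
    return a_i * (own + sum(kept))


def two_faced(receiver, prev, fault_free):
    """Constructed adversary: tells low nodes a huge negative value and high
    nodes a huge positive one, i.e. mismatching messages to different neighbours."""
    mid = sum(prev[i] for i in fault_free) / len(fault_free)
    return Fraction(10**6) if prev[receiver] > mid else Fraction(-10**6)


def simulate(in_neighbors, inputs, faulty, f, iterations):
    """Run the synchronous iteration; return [(mu[t], U[t])] for t = 0..iterations."""
    fault_free = [i for i in in_neighbors if i not in faulty]
    state = {i: Fraction(inputs[i]) for i in fault_free}
    bounds = [(min(state.values()), max(state.values()))]
    for _ in range(iterations):
        prev = dict(state)  # every node transmits v[t-1] before anyone updates
        for i in fault_free:
            received = [two_faced(i, prev, fault_free) if j in faulty else prev[j]
                        for j in in_neighbors[i]]
            state[i] = iabc_update(prev[i], received, f)
        bounds.append((min(state.values()), max(state.values())))
    return bounds


def validity_holds(bounds):
    """Validity condition: mu[t] never decreases and U[t] never increases."""
    return all(lo1 >= lo0 and hi1 <= hi0
               for (lo0, hi0), (lo1, hi1) in zip(bounds, bounds[1:]))


def spread(bounds, t=-1):
    """U[t] - mu[t]; the convergence condition drives this to zero."""
    lo, hi = bounds[t]
    return hi - lo


# Constructed sample: complete graph on 5 nodes, node 4 Byzantine, f = 1.
COMPLETE = {i: [j for j in range(5) if j != i] for i in range(5)}
INPUTS = {0: 0, 1: 2, 2: 7, 3: 10}
FAULTY = {4}

if __name__ == "__main__":
    trimmed = simulate(COMPLETE, INPUTS, FAULTY, f=1, iterations=40)
    naive = simulate(COMPLETE, INPUTS, FAULTY, f=0, iterations=1)  # no trimming
    print("trimmed: validity", validity_holds(trimmed), "spread", float(spread(trimmed)))
    print("naive:   validity", validity_holds(naive), "spread", float(spread(naive)))
```

With trimming the fault-free states stay inside their previous range and the spread shrinks every iteration; without it a single faulty neighbour pulls the states outside the range after one iteration.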



4 Matrix Preliminaries 



We use boldface upper case letters to denote matrices, rows of matrices, and their elements.
For instance, $\mathbf{H}$ denotes a matrix, $\mathbf{H}_i$ denotes the $i$-th row of matrix $\mathbf{H}$, and $\mathbf{H}_{ij}$ denotes the
element at the intersection of the $i$-th row and the $j$-th column of matrix $\mathbf{H}$.



Definition 1 A vector is said to be stochastic if all the elements of the vector are
non-negative, and the elements add up to 1. A matrix is said to be row stochastic if each row of
the matrix is a stochastic vector.

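For a row stochastic matrix $\mathbf{A}$, coefficients of ergodicity $\delta(\mathbf{A})$ and $\lambda(\mathbf{A})$ are defined as

$$\delta(\mathbf{A}) := \max_{j} \max_{i_1, i_2} |\mathbf{A}_{i_1 j} - \mathbf{A}_{i_2 j}|, \tag{3}$$

$$\lambda(\mathbf{A}) := 1 - \min_{i_1, i_2} \sum_{j} \min(\mathbf{A}_{i_1 j}, \mathbf{A}_{i_2 j}). \tag{4}$$

It is easy to see that $0 \le \delta(\mathbf{A}) \le 1$ and $0 \le \lambda(\mathbf{A}) \le 1$, and that the rows are all identical if
and only if $\delta(\mathbf{A}) = 0$. Additionally, $\lambda(\mathbf{A}) = 0$ if and only if $\delta(\mathbf{A}) = 0$.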

The next result from [8] establishes a relation between the coefficient of ergodicity $\delta(\cdot)$ of
a product of row stochastic matrices, and the coefficients of ergodicity $\lambda(\cdot)$ of the individual
matrices defining the product.

Claim 1 For any $p$ square row stochastic matrices $\mathbf{Q}(1), \mathbf{Q}(2), \dots, \mathbf{Q}(p)$,

$$\delta(\mathbf{Q}(1)\mathbf{Q}(2)\cdots\mathbf{Q}(p)) \le \prod_{i=1}^{p} \lambda(\mathbf{Q}(i)). \tag{5}$$

Claim 1 is proved in [8]. It implies that if, for all $i$, $\lambda(\mathbf{Q}(i)) \le 1 - \gamma$ for some $\gamma > 0$, then
$\delta(\mathbf{Q}(1)\mathbf{Q}(2)\cdots\mathbf{Q}(p))$ will approach zero as $p$ approaches $\infty$.

Definition 2 A row stochastic matrix $\mathbf{H}$ is said to be a scrambling matrix, if $\lambda(\mathbf{H}) < 1$

In a scrambling matrix $\mathbf{H}$, since $\lambda(\mathbf{H}) < 1$, for each pair of rows $i_1$ and $i_2$, there exists a
column $j$ (which may depend on $i_1$ and $i_2$) such that $\mathbf{H}_{i_1 j} > 0$ and $\mathbf{H}_{i_2 j} > 0$, and vice-versa
[H [18]. As a special case, if any one column of a row stochastic matrix $\mathbf{H}$ contains only
non-zero elements that are lower bounded by some constant $\gamma > 0$, then $\mathbf{H}$ must be scrambling,
and $\lambda(\mathbf{H}) \le 1 - \gamma$.
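
The two coefficients of ergodicity in (3) and (4), the scrambling test of Definition 2 and the bound of Claim 1, computed exactly on small matrices. This is an added example, not code from the paper: the function names (`delta`, `lam`, `column_floor`, `claim1_holds`) and the matrices `Q1` and `Q2` are constructed for illustration.

```python
from fractions import Fraction as Fr
from itertools import combinations


def is_row_stochastic(A):
    return all(min(row) >= 0 and sum(row) == 1 for row in A)


def delta(A):
    """Coefficient (3): the largest gap between two entries of the same column."""
    return max(max(col) - min(col) for col in zip(*A))


def lam(A):
    """Coefficient (4): 1 minus the smallest overlap sum_j min(A[i1][j], A[i2][j])
    over pairs of distinct rows (a row overlaps itself fully, so equal indices
    never attain the minimum)."""
    return 1 - min((sum(map(min, r1, r2)) for r1, r2 in combinations(A, 2)),
                   default=Fr(1))


def is_scrambling(A):
    """Definition 2: row stochastic with lam(A) < 1."""
    return is_row_stochastic(A) and lam(A) < 1


def column_floor(A):
    """Largest gamma such that some column has every entry >= gamma."""
    return max(min(col) for col in zip(*A))


def product(matrices):
    """Left-to-right matrix product Q(1) Q(2) ... Q(p)."""
    out = matrices[0]
    for M in matrices[1:]:
        out = [[sum(a * b for a, b in zip(row, col)) for col in zip(*M)]
               for row in out]
    return out


def claim1_holds(matrices):
    """Check delta(Q(1)...Q(p)) <= prod_i lam(Q(i)) for the given matrices."""
    bound = Fr(1)
    for Q in matrices:
        bound *= lam(Q)
    return delta(product(matrices)) <= bound


# Constructed 3x3 samples (not from the paper).
Q1 = [[Fr(1, 2), Fr(1, 2), Fr(0)],
      [Fr(0), Fr(1, 2), Fr(1, 2)],
      [Fr(1, 3), Fr(1, 3), Fr(1, 3)]]   # middle column is bounded below by 1/3
Q2 = [[Fr(1), Fr(0), Fr(0)],
      [Fr(1, 2), Fr(1, 2), Fr(0)],
      [Fr(0), Fr(1, 2), Fr(1, 2)]]      # first and last rows share no column

if __name__ == "__main__":
    print("Q1:", "delta", delta(Q1), "lam", lam(Q1), "scrambling", is_scrambling(Q1))
    print("Q2:", "delta", delta(Q2), "lam", lam(Q2), "scrambling", is_scrambling(Q2))
    print("delta(Q1 Q2) =", delta(product([Q1, Q2])), "Claim 1:", claim1_holds([Q1, Q2]))
    print("delta(Q1^6)  =", delta(product([Q1] * 6)), "<= 1/64")
```

`Q2` is row stochastic but not scrambling, so it contributes a factor of 1 to the bound; every scrambling factor such as `Q1` tightens it, which is why the later sections work to show that products of transition matrices are scrambling.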



5 Matrix Representation of Algorithm 1 

Recall that $\mathcal{F}$ is the set of faulty nodes. Let $|\mathcal{F}| = \phi$. Without loss of generality, suppose
that nodes 1 through $(n - \phi)$ are fault-free, and if $\phi > 0$, nodes $(n - \phi + 1)$ through $n$ are
faulty.

Denote by $\mathbf{v}[0]$ the column vector consisting of the initial states of all the fault-free nodes.
Denote by $\mathbf{v}[t]$, where $t \ge 1$, the column vector consisting of the states of all the fault-free
nodes at the end of the $t$-th iteration, $t \ge 1$. The $i$-th element of vector $\mathbf{v}[t]$ is state $v_i[t]$.
The size of the column vector $\mathbf{v}[t]$ is $(n - \phi)$.



Claim 2 We can express the iterative update of the state of a fault-free node $i$ ($1 \le i \le n - \phi$)
performed in (1) using the matrix form in (6) below, where $\mathbf{M}_i[t]$ satisfies the following four
conditions.

$$v_i[t] = \mathbf{M}_i[t]\, \mathbf{v}[t-1] \tag{6}$$

In addition to $t$, the row vector $\mathbf{M}_i[t]$ may depend on the state vector $\mathbf{v}[t-1]$ as well as
the behavior of the faulty nodes in $\mathcal{F}$. For simplicity, the notation $\mathbf{M}_i[t]$ does not explicitly
represent this dependence.

1. $\mathbf{M}_i[t]$ is a stochastic row vector of size $(n - \phi)$. Thus, $\mathbf{M}_{ij}[t] \ge 0$, for $1 \le j \le n - \phi$,
and

2. $\mathbf{M}_{ii}[t]$ equals $a_i$ defined in Algorithm 1. Recall that $a_i \ge \alpha$.

3. $\mathbf{M}_{ij}[t]$ is non-zero only if $(j,i) \in \mathcal{E}$ or $j = i$.

4. At least $|N_i^- \cap (\mathcal{V} - \mathcal{F})| - f + 1$ elements in $\mathbf{M}_i[t]$ are lower bounded by some constant
$\beta > 0$, to be defined later ($\beta$ is independent of $i$). Note that $N_i^- \cap (\mathcal{V} - \mathcal{F})$ is the set
of fault-free incoming neighbors of node $i$.

Proof: The proof of this claim is presented in Section 5.1 below. The last condition above
plays an important role in the proof, and the main contribution of this paper is to "design"
$\mathbf{M}_i[t]$ to make this condition true. □



By "stacking" (6) for different $i$, $1 \le i \le n - \phi$, we can represent the state update for all
the fault-free nodes together using (7) below, where $\mathbf{M}[t]$ is a $(n - \phi) \times (n - \phi)$ matrix, with
its $i$-th row being equal to $\mathbf{M}_i[t]$ in (6).

$$\mathbf{v}[t] = \mathbf{M}[t]\, \mathbf{v}[t-1] \tag{7}$$

The four properties of $\mathbf{M}_i[t]$ imply that $\mathbf{M}[t]$ is a row stochastic matrix with a non-zero
diagonal. Also, the $i$-th row of $\mathbf{M}[t]$ contains $|N_i^- \cap (\mathcal{V} - \mathcal{F})| - f + 1$ elements lower bounded
by $\beta$ ($\beta$ will be defined later). This property of $\mathbf{M}[t]$ turns out to be important in proving
convergence of Algorithm 1.

$\mathbf{M}[t]$ is said to be a transition matrix.

By repeated application of (7), we obtain:

$$\mathbf{v}[t] = \left( \prod_{i=1}^{t} \mathbf{M}[i] \right) \mathbf{v}[0]$$


5.1 Correctness of Claim 2

Figure 1 illustrates the various sets used here. Some of the sets in this figure are not yet
defined, and will be defined later in the paper.

We prove the correctness of Claim 2 by constructing $\mathbf{M}_i[t]$ for $1 \le i \le n - \phi$ that satisfies
the conditions in Claim 2. Recall that nodes 1 through $n - \phi$ are fault-free, and the remaining
nodes ($\phi \le f$) are faulty.

Consider a fault-free node $i$ performing the Update step in Algorithm 1. Recall that the
largest $f$ and the smallest $f$ values are eliminated from $r_i[t]$. Let us denote by $L$ and $S$,
respectively, the set of nodes² from whom the largest $f$ values and the smallest $f$ values
were received by node $i$ in iteration $t$. Thus, $|L| = |S| = f$, $N_i^*[t] = N_i^- - (L \cup S)$, and

$$|N_i^*[t]| = |N_i^- - (L \cup S)| = |N_i^-| - 2f.$$

For any set of nodes $X$ here, let $\delta_X$ and $g_X$ respectively denote the number of faulty nodes,
and the number of fault-free nodes, in set $X$. For instance, $\delta_L$ and $g_L$ denote, respectively,
the number of faulty and fault-free nodes in set $L$. Thus,

$$\delta_L + g_L = \delta_S + g_S = f$$

Let

$$\delta = |N_i^- \cap \mathcal{F}|$$

²Although $L$ and $S$ may be different for each $i$, for simplicity, we do not explicitly represent this
dependence on t in the notations $L$ and $S$.

Figure 1: Illustration of sets $\mathcal{V}$, $\mathcal{F}$, $N_i^-$, $N_i^*[t]$, $L^*$ and $S^*$



That is, the number of faulty incoming neighbors of node $i$ is denoted as $\delta$. Therefore,
$\delta \le \phi \le f$, and

Then, it follows that

$$g_L = f - \delta_L = \delta_S + \delta_{N_i^*[t]} + (f - \delta), \text{ and} \tag{8}$$

$$g_S = f - \delta_S = \delta_L + \delta_{N_i^*[t]} + (f - \delta) \tag{9}$$

For fault-free node $i$, we now define the elements of row $\mathbf{M}_i[t]$. We consider two cases
separately: (i) $f - \delta + \delta_{N_i^*[t]} = 0$, and (ii) $f - \delta + \delta_{N_i^*[t]} > 0$.

5.1.1 $f - \delta + \delta_{N_i^*[t]} = 0$

We know that $(f - \delta) \ge 0$ and $\delta_{N_i^*[t]} \ge 0$. Therefore, $f - \delta + \delta_{N_i^*[t]} = 0$ implies that $f = \delta$
and $\delta_{N_i^*[t]} = 0$. Thus, in this case, all the nodes in $N_i^*[t]$ are fault-free.

For each $j \in \{i\} \cup N_i^*[t]$, define $\mathbf{M}_{ij}[t] = a_i$. Element $\mathbf{M}_{ij}[t]$ corresponds to the term
$a_i w_j$ in (1).

Recall that $a_i \ge \alpha$, and that each node in $\{i\} \cup N_i^*[t]$ in this case is fault-free.
For each $j$ such that $j \in \mathcal{V} - \mathcal{F}$ and $j \notin \{i\} \cup N_i^*[t]$, define $\mathbf{M}_{ij}[t] = 0$.

Observe that with the above definition of elements of $\mathbf{M}_i[t]$,

$$\mathbf{M}_i[t]\, \mathbf{v}[t-1] = \sum_{k \in \{i\} \cup N_i^*[t]} a_i\, w_k$$

In the above procedure, we have set $|N_i^*[t]| + 1$ elements of $\mathbf{M}_i[t]$ equal to $a_i$ (recall that
$a_i \ge \alpha$).

Now, because $\delta = f$ and $|N_i^*[t]| = |N_i^-| - 2f$, we have $|N_i^- \cap (\mathcal{V} - \mathcal{F})| - f + 1 =
|N_i^-| - \delta - f + 1 = |N_i^-| - 2f + 1 = |N_i^*[t]| + 1$. Also, in this case $a_i = 1/(|N_i^*[t]| + 1)$. Thus,
it should be easy to see that the conditions in Claim 2 are satisfied by defining $\beta = \alpha$.



5.1.2 $f - \delta + \delta_{N_i^*[t]} > 0$

Since $0 \le \delta_{N_i^*[t]} \le \delta \le f$, $f - \delta + \delta_{N_i^*[t]} > 0$ implies that $f > 0$. When $f > 0$, the necessary
condition in [15] implies that $|N_i^-| \ge 2f + 1$. Therefore, the set $N_i^*[t]$ is non-empty. As per
(1), each node $k \in N_i^*[t]$ contributes $a_i w_k$ to the new state $v_i[t]$ of node $i$. We will define
elements of $\mathbf{M}_i[t]$ to account for the contribution of each node $k \in N_i^*[t]$.

Define subsets $L^*$ and $S^*$ such that $L^* \subseteq L$, $S^* \subseteq S$, $L^* \cap \mathcal{F} = S^* \cap \mathcal{F} = \emptyset$, and
$|L^*| = |S^*| = f - \delta + \delta_{N_i^*[t]}$. That is, sets $L^*$ and $S^*$ are subsets of $L$ and $S$, respectively,
each of size $f - \delta + \delta_{N_i^*[t]}$, and containing only fault-free nodes. Expressions (8) and (9) for
$g_L$ and $g_S$ imply that such subsets exist.

Let 

and 

$$S^* = \{ s_j \mid 1 \le j \le f - \delta + \delta_{N_i^*[t]} \}.$$

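Consider any node $k \in N_i^*[t]$. For each $j$, $1 \le j \le f - \delta + \delta_{N_i^*[t]}$,

$$v_{s_j}[t-1] \le w_k \le v_{l_j}[t-1]$$

Therefore, we can find weights $\lambda_{k,j} \ge 0$ and $\psi_{k,j} \ge 0$ such that

$$\lambda_{k,j} + \psi_{k,j} = 1$$

and

$$w_k = \lambda_{k,j}\, v_{l_j}[t-1] + \psi_{k,j}\, v_{s_j}[t-1]$$

Clearly, at least one of the weights $\lambda_{k,j}$ and $\psi_{k,j}$ must be $\ge 1/2$. Now, observe that

$$a_i w_k = \frac{a_i}{f - \delta + \delta_{N_i^*[t]}} \sum_{1 \le j \le f - \delta + \delta_{N_i^*[t]}} \left( \lambda_{k,j}\, v_{l_j}[t-1] + \psi_{k,j}\, v_{s_j}[t-1] \right) \tag{10}$$

The above equality is true independent of whether $k$ is fault-free or faulty. We will later use
the above equality for the case when $k$ is a faulty node. When $k$ is fault-free,

$$w_k = v_k[t-1],$$

and we can similarly obtain the equality below.

$$a_i w_k = \frac{a_i}{2}\, v_k[t-1] + \frac{a_i}{2(f - \delta + \delta_{N_i^*[t]})} \sum_{1 \le j \le f - \delta + \delta_{N_i^*[t]}} \left( \lambda_{k,j}\, v_{l_j}[t-1] + \psi_{k,j}\, v_{s_j}[t-1] \right) \tag{11}$$
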

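We now use (1), (10) and (11) to define elements of $\mathbf{M}_i[t]$ in the following four cases:

• Case 1: Node $i$

Define $\mathbf{M}_{ii}[t] = a_i$. This is obtained by observing in (1) that the contribution of node
$i$ to the new state $v_i[t]$ is $a_i w_i = a_i v_i[t-1]$.

• Case 2: Fault-free nodes in $N_i^*[t]$

For each $k \in N_i^*[t] \cap (\mathcal{V} - \mathcal{F})$, define $\mathbf{M}_{ik}[t] = \frac{a_i}{2}$. This choice is motivated by (11)
wherein the contribution of node $k$ to $a_i w_k$ is $\frac{a_i}{2} v_k[t-1]$. In Case 2, $|N_i^*[t] \cap (\mathcal{V} - \mathcal{F})| =
|N_i^*[t]| - \delta_{N_i^*[t]}$ elements of $\mathbf{M}_i[t]$ are defined.

• Case 3: Nodes in $L^*$ and $S^*$

For $1 \le j \le f - \delta + \delta_{N_i^*[t]}$, consider $l_j \in L^*$. In this case,

$$\mathbf{M}_{i l_j}[t] = \sum_{k \in N_i^*[t] \cap \mathcal{F}} \frac{a_i\, \lambda_{k,j}}{f - \delta + \delta_{N_i^*[t]}} + \sum_{k \in N_i^*[t] \cap (\mathcal{V} - \mathcal{F})} \frac{a_i\, \lambda_{k,j}}{2(f - \delta + \delta_{N_i^*[t]})}$$

Similarly, for $1 \le j \le f - \delta + \delta_{N_i^*[t]}$, consider $s_j \in S^*$. In this case,

$$\mathbf{M}_{i s_j}[t] = \sum_{k \in N_i^*[t] \cap \mathcal{F}} \frac{a_i\, \psi_{k,j}}{f - \delta + \delta_{N_i^*[t]}} + \sum_{k \in N_i^*[t] \cap (\mathcal{V} - \mathcal{F})} \frac{a_i\, \psi_{k,j}}{2(f - \delta + \delta_{N_i^*[t]})}$$

These expressions are obtained by summing (10) and (11), respectively, over the faulty
and fault-free nodes in $N_i^*[t]$, and then identifying the contribution of each node in
$L^*$ and $S^*$ to this sum. Recall the earlier observation that at least one of $\lambda_{k,j}$ and
$\psi_{k,j}$ must be $\ge 1/2$ for each pair $k, j$ where $k \in N_i^*[t]$ and $1 \le j \le f - \delta + \delta_{N_i^*[t]}$.
Therefore, it follows that at least $f - \delta + \delta_{N_i^*[t]}$ elements of $\mathbf{M}_i[t]$ defined in Case 3
must be $\ge$ .,. .% r.

• Case 4: Nodes in $(\mathcal{V} - \mathcal{F}) - (\{i\} \cup N_i^*[t] \cup L^* \cup S^*)$

These fault-free nodes have not yet been considered in Cases 1, 2 and 3. For each node
$k \in (\mathcal{V} - \mathcal{F}) - (\{i\} \cup N_i^*[t] \cup L^* \cup S^*)$, we assign $\mathbf{M}_{ik}[t] = 0$.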



Observe that the above definition of the elements of $\mathbf{M}_i[t]$ ensures that

$$\sum_{j \in \{i\} \cup N_i^*[t]} a_i\, w_j = \mathbf{M}_i[t]\, \mathbf{v}[t-1]$$

However, the contribution by the faulty nodes in $N_i^*[t]$ in (1) is now replaced by an equivalent
contribution by the nodes in $L^*$ and $S^*$.

Now let us verify that the four conditions in Claim 2 hold for the above assignments to
the elements of $\mathbf{M}_i[t]$.

1. Observe that all the elements of $\mathbf{M}_i[t]$ are non-negative. Case 1 specifies just $\mathbf{M}_{ii}[t] =
a_i$. The elements of $\mathbf{M}_i[t]$ specified in Case 2 add up to

$$\frac{a_i}{2}\, |N_i^*[t] \cap (\mathcal{V} - \mathcal{F})|$$

Recall that for each $j$, $1 \le j \le (f - \delta + \delta_{N_i^*[t]})$, $\lambda_{k,j} + \psi_{k,j} = 1$ for $k \in N_i^*[t]$. Therefore,
when added over all $k \in N_i^*[t]$ and $1 \le j \le (f - \delta + \delta_{N_i^*[t]})$, the elements of $\mathbf{M}_i[t]$
specified in Case 3 add up to

$$a_i\, |N_i^*[t] \cap \mathcal{F}| + \frac{a_i}{2}\, |N_i^*[t] \cap (\mathcal{V} - \mathcal{F})|$$

Therefore, when all the elements of $\mathbf{M}_i[t]$ defined in Cases 1, 2 and 3 are added together,
we get

$$a_i + a_i\, |N_i^*[t] \cap \mathcal{F}| + a_i\, |N_i^*[t] \cap (\mathcal{V} - \mathcal{F})| = a_i (|N_i^*[t]| + 1) = 1$$

because $a_i = 1/(|N_i^*[t]| + 1)$. Now observe that the elements specified in Cases 1,
2 and 3 are clearly $\le 1$. In the expression for $\mathbf{M}_{i l_j}[t]$ in Case 3, observe that the
two summations on the right side together contain $|N_i^*[t]|$ terms, and in these terms,
observe that $\lambda_{k,j} \le 1$, $f - \delta + \delta_{N_i^*[t]} \ge 1$ and $a_i = \frac{1}{|N_i^*[t]| + 1}$. Therefore, $\mathbf{M}_{i l_j}[t] \le 1$.
Similarly, we can show that $\mathbf{M}_{i s_j}[t] \le 1$ as well.

Thus, we have shown that $\mathbf{M}_i[t]$ is a stochastic vector.

2. $\mathbf{M}_{ii}[t] = a_i$ as specified in Case 1.

3. Since $\mathbf{M}_{ij}[t]$ is defined to be non-zero only in Cases 1, 2 and 3, which consider the
nodes only in $\{i\} \cup N_i^-$, it follows that $\mathbf{M}_{ij}[t]$ is non-zero only if $(j,i) \in \mathcal{E}$ or $j = i$.

4. Cases 1 and 2 together set $1 + |N_i^*[t] \cap (\mathcal{V} - \mathcal{F})| = 1 + |N_i^*[t]| - \delta_{N_i^*[t]}$ elements of $\mathbf{M}_i[t]$ to
be $\ge a_i/2$. We observed earlier that Case 3 results in at least $f - \delta + \delta_{N_i^*[t]}$ elements of
$\mathbf{M}_i[t]$ being $\ge$ ^.,_ "^ — y Also, observe that the elements of $\mathbf{M}_i[t]$ specified in Cases
1 and 2 are distinct from those specified in Case 3, and that ^ > Mf_s+s — y Thus,
overall, at least

$$(1 + |N_i^*[t]| - \delta_{N_i^*[t]}) + f - \delta + \delta_{N_i^*[t]} = |N_i^*[t]| + f - \delta + 1 = |N_i^-| - f - \delta + 1 = |N_i^- \cap (\mathcal{V} - \mathcal{F})| - f + 1$$

elements of $\mathbf{M}_i[t]$ are set $\ge$ .,, ,°:\ r. Derivation of the above equation uses the
facts that $|N_i^*[t]| = |N_i^-| - 2f$ and $|N_i^- \cap (\mathcal{V} - \mathcal{F})| = |N_i^-| - \delta$. Then by defining $\beta$ as
below, condition 4 in Claim 2 holds true.

a

Therefore, Claim 2 is proved correct.



5.2 Correspondence Between Sufficiency Condition and $\mathbf{M}[t]$

Let us define set $R_\mathcal{F}$ of subgraphs of $G(\mathcal{V}, \mathcal{E})$ as follows.

$$R_\mathcal{F} = \{ H \mid H \text{ is obtained by removing all the faulty nodes from } \mathcal{V} \text{ along with their edges, and then removing any additional } f \text{ incoming edges at each fault-free node} \} \tag{12}$$

Thus, $\mathcal{V} - \mathcal{F}$ is the set of nodes in each graph in $R_\mathcal{F}$.

Let $\tau$ denote $|R_\mathcal{F}|$. $\tau$ depends on $\mathcal{F}$ and the underlying network, and it is finite.

Claim 3 Suppose that graph $G(\mathcal{V}, \mathcal{E})$ satisfies the necessary condition in Theorem 2 in [16].
Then it follows that in each $H \in R_\mathcal{F}$, there exists at least one node that has directed paths
to all the nodes in $H$ (consisting of the edges in $H$).

Proof: The proof follows from Theorem 2 of [16]. □

In this discussion, let us denote a graph by an italic upper case letter, and the corresponding
connectivity matrix using the same letter in boldface upper case. Thus, $\mathbf{H}$ will denote
the connectivity matrix for graph $H \in R_\mathcal{F}$; $\mathbf{H}$ is defined as follows: (i) for $1 \le i, j \le n - \phi$,
if there is a directed link from node $j$ to node $i$ in graph $H$ then $\mathbf{H}_{ij} = 1$, and (ii) $\mathbf{H}_{ii} = 1$
for $1 \le i \le n - \phi$. Note that in our notation, the $i$-th row of $\mathbf{H}$ (that is, $\mathbf{H}_i$) corresponds
to the incoming links at node $i$, and the self-loop at node $i$. The connectivity matrix $\mathbf{H}$ for
any $H \in R_\mathcal{F}$ has a non-zero diagonal.

Lemma 1 For any $H \in R_\mathcal{F}$, $\mathbf{H}^{n-\phi}$ has at least one non-zero column.

Proof: By Claim 3, in graph $H$ there exists at least one node, say node $k$, that has a
directed path in $H$ to all the remaining nodes in $H$. Since the length of the path from $k$ to
any other node in $H$ can contain at most $n - \phi - 1$ directed edges, the $k$-th column of matrix
$\mathbf{H}^{n-\phi}$ will be non-zero.³ □



Definition 3 We will say that an element of a matrix is "non-trivial" if it is lower bounded
by $\beta$.

Definition 4 For matrices $\mathbf{A}$ and $\mathbf{B}$ of identical size, and a scalar $\gamma$, $\mathbf{A} \le \gamma \mathbf{B}$ provided
that $\mathbf{A}_{ij} \le \gamma \mathbf{B}_{ij}$ for all $i, j$.

Lemma 2 For any $t \ge 1$, there exists a graph $H[t] \in R_\mathcal{F}$ such that $\beta \mathbf{H}[t] \le \mathbf{M}[t]$.

Proof: Observe that the $i$-th row of the transition matrix $\mathbf{M}[t]$ corresponds to the state
update performed at fault-free node $i$. Recall from Claim 2 that $\mathbf{M}_{ij}$ is non-zero only
if link $(j,i) \in \mathcal{E}$. Also, by Claim 2, $\mathbf{M}_i[t]$ (i.e., the $i$-th row of $\mathbf{M}[t]$) contains at least
$|N_i^- \cap (\mathcal{V} - \mathcal{F})| - f + 1$ non-trivial elements corresponding to fault-free incoming neighbors
of node $i$ and itself (i.e., the diagonal element).

Now observe that, for any subgraph $H \in R_\mathcal{F}$, the $i$-th row of $\mathbf{H}$ contains exactly
$|N_i^- \cap (\mathcal{V} - \mathcal{F})| - f + 1$ non-zero elements, including the diagonal element.

Considering the above two observations, and the definition of set $R_\mathcal{F}$, the lemma follows.

□



6 Correctness of Algorithm 1 

The proof below uses techniques also applied in prior work (e.g., [9], [3], [17], [19]), with some
similarities to the arguments used in [17], [19].

Lemma 3 In the product below of $\mathbf{H}[t]$ matrices for consecutive $\tau(n - \phi)$ iterations, at least
one column is non-zero.

³That is, all the elements of the column will be non-zero (more precisely, positive, since the elements of
matrix $\mathbf{H}$ are non-negative). Also, such a non-zero column will exist in $\mathbf{H}^{n-\phi-1}$ too. We use the loose bound
of $n - \phi$ to simplify the presentation.

Proof: Since the above product consists of $\tau(n - \phi)$ matrices in $R_\mathcal{F}$, at least one of the
$\tau$ distinct connectivity matrices in $R_\mathcal{F}$, say matrix $\mathbf{H}_*$, will appear in the above product at
least $n - \phi$ times.

Now observe that: (i) By Lemma 1, $\mathbf{H}_*^{n-\phi}$ contains a non-zero column, say the $k$-th
column is non-zero, and (ii) all the $\mathbf{H}[t]$ matrices in the product contain a non-zero diagonal.
These two observations together imply that the $k$-th column in the above product is non-zero.

□

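Let us now define a sequence of matrices $\mathbf{Q}(i)$ such that each of these matrices is a
product of $\tau(n - \phi)$ of the $\mathbf{M}[t]$ matrices. Specifically,

$$\mathbf{Q}(i) = \prod_{t=(i-1)\tau(n-\phi)+1}^{i\tau(n-\phi)} \mathbf{M}[t]$$

Observe that

$$\mathbf{v}[k\tau(n - \phi)] = \left( \prod_{i=1}^{k} \mathbf{Q}(i) \right) \mathbf{v}[0] \tag{13}$$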

Lemma 4 For $i \ge 1$, $\mathbf{Q}(i)$ is a scrambling row stochastic matrix, and $\lambda(\mathbf{Q}(i))$ is bounded
from above by a constant smaller than 1.

Proof: $\mathbf{Q}(i)$ is a product of row stochastic matrices ($\mathbf{M}[t]$), therefore, $\mathbf{Q}(i)$ is row stochastic.

From Lemma 2, for each $t$,

$$\beta\, \mathbf{H}[t] \le \mathbf{M}[t]$$

Therefore,

$$\beta^{\tau(n-\phi)} \prod_{t=(i-1)\tau(n-\phi)+1}^{i\tau(n-\phi)} \mathbf{H}[t] \le \mathbf{Q}(i)$$

By using $z = (i-1)\tau(n - \phi) + 1$ in Lemma 3, we conclude that the matrix product on the left
side of the above inequality contains a non-zero column. Therefore, $\mathbf{Q}(i)$ contains a non-zero
column as well. Therefore, $\mathbf{Q}(i)$ is a scrambling matrix.

Observe that $\tau(n - \phi)$ is finite, therefore, $\beta^{\tau(n-\phi)}$ is non-zero. Since the non-zero terms
in $\mathbf{H}[t]$ matrices are all 1, the non-zero elements in $\prod_{t=(i-1)\tau(n-\phi)+1}^{i\tau(n-\phi)} \mathbf{H}[t]$ must each be $\ge 1$.
Therefore, there exists a non-zero column in $\mathbf{Q}(i)$ with all the elements in the column being
$\ge \beta^{\tau(n-\phi)}$. Therefore $\lambda(\mathbf{Q}(i)) \le 1 - \beta^{\tau(n-\phi)}$. □

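Theorem 1 Algorithm 1 satisfies the validity and the convergence conditions.

Proof: Since $\mathbf{v}[t] = \mathbf{M}[t]\, \mathbf{v}[t-1]$, and $\mathbf{M}[t]$ is a row stochastic matrix, it follows that
Algorithm 1 satisfies the validity condition.

By Claim 1,

$$\lim_{t \to \infty} \delta\left( \prod_{i=1}^{t} \mathbf{M}[i] \right) \le \lim_{t \to \infty} \prod_{i=1}^{t} \lambda(\mathbf{M}[i]) \tag{14}$$

$$\le \lim_{t \to \infty} \prod_{i=1}^{\lfloor t / (\tau(n-\phi)) \rfloor} \lambda(\mathbf{Q}(i)) \tag{15}$$

(16)

The above argument makes use of the facts that $\lambda(\mathbf{M}[t]) \le 1$ and $\lambda(\mathbf{Q}(i)) \le (1 - \beta^{\tau(n-\phi)}) < 1$.
Thus, the rows of $\prod_{i=1}^{t} \mathbf{M}[i]$ become identical in the limit. This observation, and the fact
that $\mathbf{v}[t] = \left( \prod_{i=1}^{t} \mathbf{M}[i] \right) \mathbf{v}[0]$ together imply that the state of the fault-free nodes satisfies
the convergence condition.

Now, the validity and convergence conditions together imply that there exists a positive
scalar $c$ such that

$$\lim_{t \to \infty} \mathbf{v}[t] = \lim_{t \to \infty} \left( \prod_{i=1}^{t} \mathbf{M}[i] \right) \mathbf{v}[0] = c\, \mathbf{1}$$

where $\mathbf{1}$ denotes a column with all its elements being 1.

□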



7 Extension of Above Results 

In this paper, we analyzed IABC Algorithm 1 designed for synchronous systems. Similar
analysis also applies for IABC Algorithm 2 presented in [16] for asynchronous systems.

The analysis will also naturally extend to an IABC algorithm for the partially synchronous
algorithmic model presented in [1], which assumes a bounded delay in propagation of state
between neighbors, and a bounded delay between consecutive state updates at each node
in the network. The generalization of Algorithm 1 to the partially synchronous algorithmic
model will allow a node $i$, if performing state update in iteration $t$, to form vector $r_i[t]$
using the most recent known states of its incoming neighbors; these states of the neighbors
may correspond to any of the prior $B$ iterations, for some bounded $B$. A similar IABC
algorithm can also be used in time-varying network topologies (i.e., networks wherein the
set of links available in iteration $t$ varies with $t$); the above analysis will then extend to
time-varying topologies as well, with the algorithm performing correctly so long as the connectivity
matrices for the graphs at different $t$ jointly satisfy some reasonable properties, as in PIISflTT].



8 Summary 

We presented a proof of validity and convergence of Algorithm 1 by expressing the algorithm 
in the matrix form. The main contribution of the paper is to express the algorithm in 
matrix form that allows us to prove its convergence under certain necessary conditions on 
the underlying communication graph. Thus, the proof implies that the necessary conditions 
are also sufficient. The key to the proof is to "design" the transition matrix for each iteration 
such that each row of the matrix contains a large enough number of elements that are 
bounded away from 0.